BridgeToAgentGet the kit — $49
Legal

Privacy Policy

Last updated: 2026-05-06

This Privacy Policy explains what personal data BridgeToAgent (“we”, “us”) collects, why we collect it, how we use it, and the rights you have over it. We are committed to handling personal data lawfully, transparently, and with as little collection as possible.

This policy is written to comply with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, and equivalent regimes such as the UK GDPR.

1. Data controller

For the personal data described here, BridgeToAgent acts as the data controller. Contact: privacy@bridgetoagent.com.

2. What we collect

2.1 Information you provide

  • Site URL. The URL you submit on the home page so that we can crawl it on your behalf.
  • Payment details. Card and billing information is entered directly into Stripe’s checkout surface. We never see or store full card numbers. We receive only the metadata Stripe returns (customer email, payment status, the last 4 digits of the card, country).
  • Email correspondence. If you contact support, we keep the messages and your email address to respond.

2.2 Information collected automatically

  • Server logs. Standard request logs (IP address, user agent, timestamp, requested path, response status). Used for security, debugging, and rate limiting. Rotated regularly.
  • Analytics (only after explicit opt-in via the cookie banner). When granted, Google Analytics / Google Tag Manager records anonymized page-view and interaction events.
  • Marketing pixel (only after explicit opt-in via the cookie banner). When granted, the Meta Pixel records the same anonymized page-view event for ad measurement.

2.3 Google Ads Enhanced Conversions

When you complete a purchase and have granted marketing consent via the cookie banner, we use Google Ads Enhanced Conversions to measure the effectiveness of our ad campaigns. Specifically:

  • We collect your email address during the Stripe checkout process (lawful basis: contract — it is required to deliver your kit and receipt).
  • On the post-purchase confirmation page, your email address is passed to our Google Tag Manager container, which securely hashes it (SHA-256) in your browser before any data is transmitted to Google. Google never receives your email in plain text.
  • Google uses the hashed value solely to match the conversion to a prior ad click on a logged-in Google account, in order to attribute campaign performance. The match is performed on hashed data; non-matching hashes are discarded.
  • This data is processed in accordance with Google’s Enhanced Conversions privacy protocols and the data-processing terms agreed between us and Google.
  • If you decline marketing consent in the cookie banner, no Enhanced Conversions data is sent to Google.

3. Cookies & consent

On your first visit, we display a cookie-consent banner with three categories:

  • Strictly necessary — locked on. Required for the site to function (consent state itself, secure session for checkout). No identifiers are placed for tracking purposes.
  • Analytics — opt-in. Loads Google Tag Manager / GA4 if accepted.
  • Marketing — opt-in. Loads the Meta Pixel if accepted.

Your choice is stored in your browser’s localStorage under the key bta_consent_v1. You can change or revoke your choice at any time by clearing site data in your browser.

4. How we use your data

  • To deliver the kit you paid for (lawful basis: contract).
  • To process payments and prevent fraud (lawful basis: contract, legitimate interest).
  • To respond to support requests (lawful basis: legitimate interest).
  • To measure traffic and improve the product, only if you opted in (lawful basis: consent).

5. How long we keep it

  • Site URL & generated kit. Held in a short-lived cache for at most 6 hours so you can retry generation if it fails. Generated ZIPs expire from the download cache after 1 hour.
  • Payment metadata. Retained by Stripe per their own policy. We retain receipts as long as required by Swedish accounting law (typically 7 years).
  • Server logs. Up to 30 days.
  • Analytics events. Per the retention configured in our Google Analytics property (default 14 months).

6. Sub-processors

The following processors handle data on our behalf. Each is bound by contractual data-protection terms.

  • Stripe, Inc. — payments.
  • Firecrawl — server-side crawling of the URL you submit. Firecrawl receives the URL only.
  • Anthropic, PBC — generates the kit content. The crawled markdown of the URL you submit is sent to Anthropic. Anthropic does not train models on this input.
  • Vercel, Inc. — application hosting and edge delivery.
  • Google LLC — analytics and Google Ads Enhanced Conversions (only if you opted in to marketing consent). Email addresses sent for Enhanced Conversions are SHA-256 hashed in your browser before transmission.
  • Meta Platforms, Inc. — marketing pixel (only if you opted in).

7. International transfers

Some of our processors are headquartered in the United States. Where transfers leave the EEA, they are protected by the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

8. Your rights under GDPR

You have the right to access, correct, port, restrict the processing of, or delete the personal data we hold about you. You also have the right to withdraw consent at any time and to lodge a complaint with your local data protection authority (in Sweden: IMY).

To exercise any of these rights, email privacy@bridgetoagent.com. We will respond within 30 days.

9. Security

All traffic is served over HTTPS. Secrets (API keys, signing keys) are held in environment variables and never reach the client. Generation tokens are HMAC-signed and single-use. We follow the principle of least privilege for third-party integrations.

10. Changes to this policy

We may update this policy. Material changes will be reflected by the “Last updated” date at the top. We encourage you to revisit periodically.

11. Contact

Privacy enquiries: privacy@bridgetoagent.com. General contact: hello@bridgetoagent.com.